The issue comes from the first line, an inconvenient mix of declarations and assignments:

var tag = node = Ext.apply({...})

The developer thought he was initializing 2 local vars called tag and node.

Let’s take something simple:

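function test(){
  var a = b = 2;        // a is declared locally; b is a bare assignment
  alert(a + ", " + b);  // alert() only displays its first argument
}
test();
alert(b);               // 2: b leaked out of test() into the global scope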

In the first line, JavaScript starts by evaluating b = 2. This is an assignment of 2 to the variable b. Because b does not exist, JavaScript creates a new global variable b and attaches it to the current context, window. (Note that this would throw a ReferenceError exception if we were in strict mode.)

A quick look at ECMA-262 shows that assignments return the value that was just assigned. You can double check that in your console: eval(b = 2); returns 2.

So now the engine has evaluated the inner expression b = 2 to the value 2, and what remains reads as var a = 2. This correctly creates a local variable a containing the value 2 through a declaration, or more precisely a VariableStatement. Note that eval("var b = 2"); returns undefined.

Anyways… don’t mix up var a = [value] with a = [value] as they are completely different expressions that evaluate to different values and can create unexpected surprises…
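A way to catch this kind of leak in a test, as an added example that is not code from the original post: it runs the chained-assignment pattern in sloppy mode, in strict mode and in a corrected form, and reports which global names each run left behind. The helper name findLeakedGlobals and the three sample functions are assumptions made for this example.

```javascript
// Added example: detect implicit globals leaked by chained assignment.
// Bodies built with new Function() are sloppy-mode unless they carry their
// own "use strict" directive, so this behaves the same in scripts and modules.

// Run fn and return { result, error, leaked }, where leaked lists the global
// property names that exist after the call but did not exist before it.
function findLeakedGlobals(fn) {
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  let result;
  let error = null;
  try {
    result = fn();
  } catch (e) {
    error = e;
  }
  const leaked = Object.getOwnPropertyNames(globalThis)
    .filter((name) => !before.has(name));
  // Globals created by a bare assignment are configurable, so clean them up.
  for (const name of leaked) delete globalThis[name];
  return { result, error, leaked };
}

// The pattern from the post: only `a` is declared; `b` is a bare assignment.
const sloppy = new Function('var a = b = 2; return a;');
// Same body in strict mode: the bare assignment to `b` is rejected.
const strict = new Function('"use strict"; var a = b = 2; return a;');
// The intended form: both names are declared as locals.
const fixed = new Function('var a = 2, b = a; return a + b;');

const sloppyRun = findLeakedGlobals(sloppy);
const strictRun = findLeakedGlobals(strict);
const fixedRun = findLeakedGlobals(fixed);

console.log('sloppy leaked:', sloppyRun.leaked);
console.log('strict error:', strictRun.error && strictRun.error.name);
console.log('fixed leaked:', fixedRun.leaked);
```
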

I was so caught up with different projects, work, family, the move to the US… that I hadn’t touched that plugin for almost 9 months… I finally decided to make it a priority to fix what needed to be fixed and improve what had to be improved.

So here comes 2.0.0:

– Flexible responsive design
– Full support of Bootstrap 3
– An entirely new home with a showcase, tutorials, an amazing documentation full of examples, etc.
– A bunch of fixes and improvements.

At Qualys we often work with complex JSON objects that we have to debug. I just found out that Chrome DevTools include a copy command that lets you copy any variable to the clipboard. This can be useful to retrieve full JSON objects:

copy(JSON.stringify(obj))

The object can then be displayed in a nicely formatted way using a plugin within Sublime or using an online formatter.

With the immense amount of security updates forced onto our dear OSes each day, you’d really wonder why one of those updates hasn’t completely banned WEP encryption keys for securing Wi-Fi networks. This is now 2014, and WEP keys can be broken so easily and so much faster than before (we’re talking 20 secs to a few minutes..) that they shouldn’t be allowed for further use. And yet today anyone can just walk the streets and easily find targets to sniff and crack:

I’m currently sitting in terminal 5 of Heathrow airport finishing a blueberry muffin while waiting for my corresponding flight back home once again. As I want to reconnect to the digital world, I am greeted with a 30-minute limit of free Wi-Fi. It seems like it is becoming a global trend in coffee shops and other public places nowadays. Anyways here is the procedure to circumvent such limits by spoofing your MAC address:

On a Mac/Linux: run ifconfig to find the network interface with status: active. On the latest Pros and Airs, it should be en0. Note the MAC address somewhere so you can revert back once the operation is complete.

I’ve been meaning to write about this for a long time. Windows 7 at its core has a huge security flaw that can easily be exploited to log into any machine you have physical access to.

It all starts at the password-protected login screen (winlogon.exe). There you find 2 important pieces of information:
– The user names
– The accessibility shortcuts still work (try hitting leftalt+leftshift+printscr from the login screen)

To enable those, winlogon.exe executes another exe: sethc.exe (you may have already seen the sticky-keys dialog popup that it triggers).

The flaw comes from the fact that winlogon executes c:\windows\system32\sethc.exe no matter what the file actually is.
If you can replace that file with a command prompt, this means that you can access the prompt from the login screen.
This can easily be exploited to change the user’s password and bypass the login screen:

Use each of the numbers 1, 3, 4, and 6 exactly once with any of the four basic math operations (addition, subtraction, multiplication, and division) to total 24. Each number must be used once and only once, and you may define the order of operations; for example, 3 * (4 + 6) + 1 = 31 is valid, however incorrect, since it doesn’t total 24.

My phone has become my everyday tool. I use it to check my mail, write blog posts, check my bank accounts, play games, perform transactions. I use it so much I often forget that it holds so much sensitive data. If you were to get your phone stolen by someone, what passwords or accounts would he have access to? My phone checks my mail automatically on all my accounts. Very convenient. But I realized today that this convenience is an expensive asset. You think your PayPal account is safe? Anyone can ask for your password to be reset. If that someone has access to your automatically-checked mailboxes, he has access to your bank account, your Facebook profile, and pretty much your entire digital life.

All of that digital life in the palm of my hands or in my back pocket is a danger I tend to overlook.

Some of you may have some locking mechanism such as a 4-digit phone PIN… But really, when was the last time you made sure no one was looking as you entered your PIN… (even worse: most people choose the same PIN on their phone as their credit card PIN). I personally think it’s better not to have any locking mechanism on your phone and behave like it has absolutely no security rather than believe in the illusion of its security.

I need to find another way to authenticate myself to my mail servers on my phone.